Failing to Encrypt Data
The high cost of failing to encrypt protected health information.
By Michael L. Smith, R.R.T., J.D.
On December 26, 2013, a dermatology practice agreed to pay $150,000 to settle a possible violation of the Health Insurance Portability and Accountability Act (HIPAA). The practice reported a data breach after a thumb drive containing the unencrypted protected health information (PHI) of 2,200 patients was stolen from the vehicle of one of the practice's staff members. The dermatology practice and its patients are now incurring the high cost of failing to encrypt electronic PHI.
Since 2009, the Breach Notification Rule has required every covered entity to report the loss or theft of unsecured PHI to the Department of Health and Human Services (HHS) Office of Civil Rights (OCR). A covered entity is not required to report the loss or theft of secured PHI under the Breach Notification Rule. Obviously, covered entities should at least consider the available methods to secure their PHI.
Secured PHI is information that has been rendered unusable, unreadable, or indecipherable to unauthorized individuals. According to HHS, encryption and destruction are the only two approved methods for making PHI unusable, unreadable, or indecipherable. HHS defines encryption as the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key, provided that the confidential process or key that might enable decryption has not itself been breached. Data that is only protected by a password is not encrypted for purposes of the Breach Notification Rule. Consequently, the loss or theft of data that is only password-protected is a data breach that must be reported to the OCR.
The Breach Notification Rule also requires every covered entity to have written policies and procedures on the Breach Notification requirements, and requires the covered entity to train its staff on those requirements. The OCR investigates all the reports of the theft or loss of unsecured PHI under the Breach Notification Rule and specifically looks for compliance with these requirements. The OCR may impose monetary and other sanctions on covered entities based upon the specific findings after a breach of unsecured PHI.
In the investigation of the dermatology practice, the OCR found that the practice impermissibly disclosed the PHI of more than 2,000 individuals by not utilizing reasonable safeguards, namely encryption, to protect the electronic PHI on the thumb drive. The OCR investigation also revealed that the practice did not have written policies and procedures on the Breach Notification requirements, had not trained its staff in the Breach Notification requirements, and had not performed a thorough risk assessment as required by the Breach Notification Rule. The practice did not have its required policies in place until months after the breach and did not complete its risk assessment until almost a year after the breach.
In addition to the $150,000 settlement, the dermatology practice must also incur the expense of notifying all of its patients of the data breach. Most covered entities also incur the cost of providing their patients with identity theft insurance, which can cost several hundred dollars per patient. Had the dermatology practice encrypted the thumb drive, the electronic PHI, while lost, would not have been usable by the unauthorized individual, and the practice would not have been required to report the data breach to the OCR.
Data encryption is not currently required by the Breach Notification Rule, but the cost of encrypting electronic PHI is minimal compared to the cost of a data breach to covered entities and their patients.
Michael L. Smith, JD, RRT is board certified in health law by The Florida Bar and practices at The Health Law Firm in Altamonte Springs, Fla. This article is for general information only and is not a substitute for formal legal advice.